TCPWave DNS Shield

The future of enterprise-class business to business trusts for performing DNS lookups is here. TCPWave DNS Shield delivers the security, scalability, and manageability necessary to protect a private DNS deployments - where B2B partner’s DNS entries need not be entered manually into the private roots. Fetching the DNS records in a secure fashion from the third party by removing answers that can potentially poison or taint your caches is what DNS Shield brings to the enterprises.  Contact Us to learn more about our DNS Shield appliance and how to secure your B2B DNS communications.

TCPWave DNS Shield

TCPWave is proud to introduce DNS Shield to its suite of products. In organizations designed with an internal private rooted DNS system, caches become vulnerable when they learn tainted data by following referrals into the third party’s DNS systems.  A tainted cache that has learnt about the DNS roots from a third party tries to communicate with those third party’s root servers. In many scenarios, there would be no backbone routing/firewall rules from the tainted cache to the third party’s roots or to the public Internet roots. TCPWave’s DNS Shield is a mechanism with which organizations can manage DNS delegations to third parties and protect their internal namespace. TCPWave’s DNS Shield filters out DNS responses from the third parties that can potentially inject any type of a taint on the internal cache appliances of your organization. TCPWave’s DNS Shield uses a DNS response inspection engine to analyze the DNS responses from the third parties. It gives the legitimate answer to the cache device that has requested the query to the third party. It drops all the remaining information that can potentially poison/taint the cache.

TCPWave’s DNS Shield is available as a Dell OEM appliance and is typically placed between the organization’s cache servers and the third party DNS servers. Each organization’s internal DNS root is configured with a delegation to the TCPWave DNS Shield to perform third party’s DNS lookups. The TCPWave DNS Shield takes the request from the cache and would perform a recursive lookup on the third party’s DNS infrastructure. When the third party’s DNS server responds, the DNS Shield strips out unwanted data that can potentially taint the organization’s caching layer.

Without TCPWave’s DNS Shield

Consider organization A where the internal DNS is not exposed to the public Internet and vice versa, the cache appliances with hints pointing to its internal private roots instead of the public root servers. This means, internal users are not exposed to the public DNS and therefore, they cannot resolve external DNS names. This is a typical setup in organizations that have internal domain name space with absolutely no visibility into the public Internet.

In order for organization A to do business with organization B, the DNS administrator of organization A needs to add a DNS delegation. This delegation is added to the root zone of organization A’s DNS infrastructure.

When organization A’s cache device (shown in yellow) follows the referral, the authoritative servers of organization B give the answer and add an additional section and authoritative section containing information about organization B’s DNS layout. The setup shown above could experience an outage  when the hints file of organization A get overwritten by the  response received from organization B’s DNS responses. Note that the organization A’s cache did not ask about organization B’s roots. The BIND additional and authority section responses that were obtained from organization B can potentially overwrite organization A’s cache’s hints. Since there is no connectivity from the internal namespace of organization A to the public Internet, DNS in the internal corporate network of organization A comes to a grinding halt. The DNS administrator of organization A can remove the DNS delegation to organization B and simply add the required resource records to the DNS root zone. This workaround has its own drawbacks.

  • If organization B makes and change to it’s server IP Addresses due to an upgrade or a disaster recovery cut-over, organization A’s DNS administrator has to catch-up with those changes.
  • Delay in catching up with the third party changes causes impact to the business.
  • If organization A has multiple B2B partners, the DNS administrator of organization A will have a tough time maintaining his root zone.
  • Intelligent load balancing is not possible if organization A’s DNS administrator makes static entries into the root zone.
With TCPWave’s DNS Shield

Organization A where the internal DNS is not exposed to the public Internet and delegates all the third party domains to the TCPWave’s DNS Shield appliances. The cache appliances with hints pointing to internal private roots follow the referral and query the TCPWave DNS Shield appliances. In turn, the TCPWave DNS Shield appliances query the third’s authoritative servers, filter out records that can potentially taint or poison organization A’s caches. The filtered response is seen by the originating client. This secure setup is a scalable solution when an enterprise needs to catch-up with the changes that take place in the third party’s DNS.

DNS Shield between organization A and all its B2B partner (organization B) is shown in the diagram above. The DNS Shied protects organization A from potential DNS cache poisoning by stripping out unwanted data from the DNS responses received from organization B.

With TCPWave DNS Shield your enterprise can benefit from avoiding DNS outages by protecting your internal DNS cache infrastructure with this added security. The key benefits that you derive from the TCPWave’s DNS Shield appliance are:

  1. Avoid delays in reflecting the DNS changes and always stay live.
  2. Protects your internal users from unauthorized DNS responses.
  3. Prevents DNS Cache poisoning
  4. Maintain integrity of internal private DNS by stripping down unnecessary data from the response packets.
  5. Protect your users from DNS spoofing attacks.
  6. Lesser number of firewall rules between the DNS caching devices and B2B DNS servers.

TCPWave Inc’s DNS Shield adds intelligence into the DNS Application layer by discarding unwanted DNS requests and responses that can potentially poison your mission critical DNS infrastructure.